Don’t Open that Attachment: Dramatic Rise in Invoice Phishing

In the month of August, we’ve seen an increase in phishes that involve invoices. This invoice phishing doesn’t seem to consist of particularly targeted attacks. Most of the messages include generic content any invoice would have. Their generic nature allows them to be sent to anyone in the organization. The worst part is that this broadening of targets makes anyone a potential victim.

So here’s what to look out for to avoid falling victim.

Invoice Phishing Payloads

Generally, these messages contain one of two “payloads.” A payload is the part of the message that carries out the attacker’s malicious goal.

One payload we are seeing is a hyperlink that the criminal is hoping the receiver will click. If the user does click, they will be prompted to enter their user ID and password for common services such as Dropbox, Office365, or Google. This allows the attacker to steal passwords from your organization.

The other common payload is a Word document that contains malicious macros. These macros deliver persistent malware, allowing the attacker to steal information from you. So if you download the attachment, you may wind up with malware on your computer.
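As an added illustration (not part of the original post), here is a mail-triage check for the two payloads described above: links in an invoice-themed message and Word attachments that embed a VBA macro project. The sample message, its addresses and file names are constructed, and `triage`, `has_vba` and `build_sample` are hypothetical helper names.

```python
import email, io, re, zipfile
from email import policy
from email.message import EmailMessage

WORD_EXTS = (".doc", ".docx", ".docm", ".dotm")
LINK_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def has_vba(data: bytes) -> bool:
    """True if an OOXML (zip-based) Word file embeds a VBA macro project."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False  # legacy OLE .doc is not a zip and needs a dedicated parser

def triage(raw: bytes) -> dict:
    """Report the invoice lure, body links and Word attachments in one message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    out = {"invoice_lure": "invoice" in str(msg["subject"] or "").lower(),
           "links": [], "word_attachments": [], "macro_attachments": []}
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").lower()
        if name.endswith(WORD_EXTS):
            out["word_attachments"].append(name)
            if has_vba(part.get_payload(decode=True) or b""):
                out["macro_attachments"].append(name)
        elif not name and part.get_content_type() in ("text/plain", "text/html"):
            out["links"] += LINK_RE.findall(part.get_content())
    return out

def build_sample() -> bytes:
    """Constructed test message: invoice subject, one link, one .docm with a VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/vbaProject.bin", b"constructed placeholder, not real VBA")
    m = EmailMessage()
    m["Subject"] = "Invoice attached"
    m["From"], m["To"] = "billing@example.invalid", "user@example.invalid"
    m.set_content("Please review: https://files.example.invalid/login")
    m.add_attachment(buf.getvalue(), maintype="application",
                     subtype="octet-stream", filename="Invoice.docm")
    return m.as_bytes()

if __name__ == "__main__":
    print(triage(build_sample()))
```

A message that is invoice-themed and carries either a link or a macro-bearing attachment is a candidate for quarantine and manual review, not a confirmed phish.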

Here is what they look like:

One of our customers encountered one and sent it to us for review (see below). We let them know it was indeed a phishing attempt:

What to Do about Invoice Phishing

There are a few things that you as an organization can do to defeat these scam invoices. One is to educate your users about them and warn them to be on the lookout. If you are not expecting an invoice from someone, be very wary of opening, clicking, or downloading any attachments. You can send this blog post to your users to show them what to be on the lookout for.

Another step you can take is to install a DNS-based protection solution like Strongarm. With a solution like Strongarm in place, it doesn’t matter if you have an office full of happy clickers who will cheerfully open every email sent their way, click every link, and download every attachment. Strongarm is able to detect outbound communication to compromised websites and stop attackers from successfully carrying out their bad intentions. Think of Strongarm as insurance. While you hope no fire or flood will come your way, it’s best to have a backup plan just in case.